Port Knocking applied to websites

If you're unfamiliar with Port Knocking, it's a simple concept that can add a layer of security to your server. If you run a Linux server that's accessible on the Internet you'll see your logs fill up with bots trying to brute-force passwords. Changing the default port helps but still leaves you open to port scans. Fail2Ban, a script which monitors login failures and adds firewall rules to block hosts that have failed to log in too many times, also helps. Finally, configuring static firewall rules so that only a few select IPs can reach the server in the first place helps too. So back to Port Knocking. The technique works by not exposing the ssh port at all, and instead watching for connection attempts that arrive at a secret sequence of other ports. To the outside world those ports look closed, but the host silently records the attempts, and once the correct secret combination has been entered the ssh port is opened for that IP address. What this security by obscurity buys you is a layer in front of the service itself: a zero-day or unpatched exploit against the ssh daemon, a bypass of the login prompt, or some other flaw in the server can only be used by someone who already knows the knock.

I've written a module for nginx that takes the concept of "Port Knocking" and applies it to websites. When you visit a configured nginx website, it returns a 404 "page not found" error. However, if you go to the secret URLs, even though they all, on the surface, appear to return 404, you are secretly handshaking with nginx. After you've hit the magic combination your IP is logged server side and you're allowed to visit the site (that is, it returns content instead of 404). The benefits include:

The more I think about the concept, the more sense it seems to make, especially when you're hosting third-party software like WordPress, Roundcube and so forth. It's hard to know whether changing the web port is going to guard against port-scanning bots. It's hard to trust that each web application implements a Fail2Ban-like solution. It's annoying to limit the IPs that can log in if you plan on really taking advantage of "cloudy" software. My simple nginx module can sit in front of any web application and provide the solution.

Check out a video demonstration I made here

Writing the code was a lot of fun. The code and more information are available in the Git repo here